18
93 Comments

How long does it take you to implement login/sign up?

Hello!

I'm curious how long it takes you to create login and sign up for your app. This includes the front end and backend development. Your answers will help me in planning out my own project.

Thanks!

  1. 18

    If you use a pre-built starter project or offload much of the backend to a 3rd party like Cognito or Auth0 then you could cut the time significantly (those can also take care of sending emails and provide the initial frontend UI flows).

    However if you're coding it all yourself it will realistically take a few days.
    For a regular user/pass system you would have the following to build:

    • Signup: The sign up screen -> Send verification email -> email has link to confirmation screen.
    • Login screen (Possible social login support too)
    • Forgot password: The forgot password screen -> Send email -> email has link to a reset screen
    • Change password (in-app)
    • Change email (in-app) and sending a re-verification email etc
    • All backend calls need to validate the session and redirect user to login if session expires.
    • After signup or change of email the user's email account is 'unverified' until they click the link in the email, so your app needs to handle that state appropriately.

    There is a lot to do there and the UI work alone could take some time, not to mention designing and sending the emails. The backend work (at most) may involve databases, caches, hashing/encryption and mailservers.

    This is also assuming you don't plan to send any marketing emails to EU customers, if you do then you also have to include GDPR opt-ins on the signup, keep records of their confirmations, and provide a screen for them to later opt-out of emails.

    1. 6

      Great answer. I went through all of this myself recently. It takes a lot longer than you think, particularly if you go down rabbit holes at each stage.

      It also depends a lot on how you manage or utilise the user data you get during sign up for their experience on the application. In my case I needed to move around quite a few things to provide them with their custom environment.

      And you will run into lots of small things, verification email testing takes a minute and using test inboxes etc. Finding the right providers. It goes on.

      If you're just providing the same experience for every user then go with a Google sign in or something.

    2. 1

      Thanks for the detailed response! Thats really helpful to see the time involved. Quite a few things to build there!

  2. 5

    Firebase Auth (especially with Firebase UI) takes maybe an hour or two (probably faster if you've had experience with it before).

    1. 1

      I didn't know they had ui. How much customization can you do?

      1. 2

        Yup, they do! Here's the repo for it: https://github.com/firebase/firebaseui-web. They also have a specific library for React and maybe some other frontend frameworks as well.

        They have a built-in UI which I think you can override using CSS (but I haven't really tried it). From what I've heard, it's kind of hard to customize their UI, so it's mostly just used as a quick solution out-of-the-box.

    1. 1

      Could you elaborate on this a bit more? Do you start with any template or third-party tools? I find it hard to believe that coding a login flow, change password, session and user storage and management, UI, etc from scratch could take less than a day regardless of years of experience unless you use some templating/scaffolding tools

      1. 1

        You can make the login/user management arbitrary complex, and you can spend easily one day on the email templates only. Many comments here also show that most of the web framework comes with some level of the solution already, so you almost never start from scratch. Having said that, just recently implemented password-based login/signup/password reset and basic user profile management with email and UI with JWT based session management in Go from scratch in a 7.8 hours long coding session according to my log. However, you are right that it is only possible if you know exactly what and how you do it where the experience can help a lot to make the right choices for the first take. (Also helps a lot if you are doing it for yourself instead of for a client ;) )

    2. 1

      Thanks! How long have you been doing software development?

  3. 4

    About 30 seconds.

    Laravel out of the box or firebase.

    1. 1

      Does firebase have ui for login/signup as well?

      1. 2

        If you use their login with their social media you do. But if you are using email, then no.

        <div id="login">
            <input type="email" placeholder="Email">
            <input type="password" placeholder="Password">
            <button>Login</button>
        </div>
        

        Boom! Just connect that to your sign in method with firebase which is a one liner.

  4. 4

    Comes free with Django :)

    1. 1

      How does that work? Still anything to set up? Takes no time?!

      1. 2

        https://github.com/pydanny/cookiecutter-django

        If i'm using react I have the code from previous projects I just copy that.

      2. 1

        You can also check Django AllAuth (which is what cookiecutter bundles). It takes MUCH longer to setup the tokens for the API's you want to use than the login backend/frontend itself.

  5. 3

    You can get a lot of those features out-of-the-box with Alpas. It's like a Laravel but for the Kotlin/JVM world.

    1. 1

      Interesting. Every framework seems to have their own flavor.

  6. 3

    10-20 minutes if your stack is Ruby on Rails, using devise.

    1. 1

      Does that include all the features that @daveagill mentioned? Everything that is tied into auth?

      1. 2

        I'm not sure about the change email feature, and adding auth with social accounts would take a bit longer, but yeah. Devise has all that.

        https://github.com/heartcombo/devise

  7. 3

    Ruby on Rails devise gem. Not more than 1 hour.

    1. 1

      Does that include all the features that @daveagill mentioned? Everything that is tied into auth?

      1. 2

        Yes. But it has just few fields like email password. You can create migrations to add fields like address name etc

        1. 1

          It includes the needed emails for reset password and such?

          1. 2

            Is your question does it include the ability to reset password via e-mail? Yes it does.

            1. 1

              yes it was. thanks!

  8. 3

    Took me about 2 days:

    • .Net Core have Authorization built-in so I configured it to use JWT tokens
    • Adding the JWT package to Angular and making a login form.

    The longest part is building the register code to determine how do you want to setup a new user.

    I think it's faster when using external provider (Google, Twitter ...) but you have to read their documentation :)

  9. 3

    Setting up the API with proper logging, testing, and database management can take a while.

    How do you send your "forgot password" email? Do you integrate with SendGrid? Do you test this integration? Do you write an abstraction layer in between in case you want to move to another provider?

    What database do you use? Do you abstract over it? What happens when the database is down?

    It very much depends on how holistic you want to be.

    1. 1

      Right! there can be lots of edge features.

  10. 3

    It really depends on your stack. For exampe, I'm using Laravel for Sitesauce, which includes all the required backend for authentication and only leaves the frontend to the coder, so it took me around a day to have working authentication.

    I've also seen Firebase used to add authentication to frontend/node apps in minutes, and pure PHP projects do it in weeks, so it really depends. Maybe give more details about what you plan on using?

    1. 1

      Thanks for the info! Thats helpful. I'm more so wondering about the different solutions out there. I have been looking into https://auth0.com. but seems like it may be over kill.

      1. 2

        Noah

        It all depends on what your requirements are I guess. Auth0 is a nice abstraction where you can utilise their tooling on top of the OAuth/OAuth2 protocol which uses Access Tokens. Does your app warrant such security & flexibility? I think its language agnostic so you can hook into it using APIs.

        Firebase provides a nice authentication abstraction also. It abstracts in that its authentication provider allows you to hook in OAuth2 protocol providers (such as Google) and also OAuth (Twitter) as well as Facebook, and user managed username & password. IMO, Firebase Auth is an easy decision if you are using the Firebase platform as it has nice additional features that allow you to manage your users within the platform tooling.

        It also takes away any headaches around management of access tokens (which depending on which flow you require can be quite tricky). Having personally experienced this type of headache, it cannot be undervalued IMO.

        If you can explicitly define what your user & security requirements are, then it may be easier to advise further

        1. 1

          Thinks Thunk! That opinion definitely helps! I don't have user & security requirements yet. But knowing the different options will help me make that decision!

      2. 2

        I've personally never tried Auth0, but I understand it's similar to Firebase Auth? Anyway, if you can get it working in less than a day, I'd recommend you to go for it!

  11. 2

    I use Firebase authentication, they have CDN for the SDK urls. Max 30 minutes is up and running with facebook, twitter, google account, email, phone account...

  12. 2

    To do it properly from scratch, at least a week.

    There are a lot of other aspects to consider when building a secure app that most people don't even think about, like:

    1. Protecting the sign-up form from bot attacks
    2. Protecting against brute force attacks
    3. Enforcing password complexity rules
    4. Risk level assessment of new sign-ins
    5. Notifying users of suspicious sign-in attempts
    6. Blocking high risk sign-in attempts and providing secondary means of authentication
    7. Penetrating testing
  13. 2

    It's very fast, definitely under half an hour. Phoenix Framework comes with auth generators (made by Jose Valim, the creator of both the Elixir language and the Devise gem for Rails many years ago).

    I really like the generator approach over a separate library or service because it makes it much easier to expand or shape it to fit your application's business logic.

    In the past, I've used separate auth libraries, Auth0 and other approaches and found them more of a pain.

  14. 2

    Circled back to this as I've just finished getting login/signup working for my MVP. Basically, took me 2 days with Auth0 with no prior experience of it. I won't say it was easy, but I probably didn't do enough background reading before jumping into it.

    I read the Auth0 instructions yesterday afternoon, set up a trial account, downloaded their sample application for python, and got it running on my local environment. I actually lost time by doing that backwards - I didn't bother with the instructions and tried to tinker with the sample app, realized I'd better spend an hour or so reading up on it and watching some of their short videos.
    Today I branched my Flask application and pretty much copied the sample code into the appropriate places. After a few hours and errors (all mine), I got authentication working on my local app.
    Next step is to set up Auth0 for a Production environment, deploy my changes to AWS, and do a full round of testing. Should take about half a day, which is why I say 2 days in all.

    1. 1

      Thanks for the detailed report! Thats good to know. Auth0 can do a lot of things. In that time did you set up basic login signup? Does that include reseting password and reset email. Also validate email? Thanks!

      1. 2

        Yes, I set up signup and I tested resetting password by the user. Also tested validation of the email. I will note that I thought that the validation wasn't working because it took over 10 minutes for the email notification to arrive. That isn't good, but I'm not using a separate email provider as of yet. You have the option of using a few different providers including AWS and SendGrid. I'd hope that option would have less latency.
        The registration/signup/resetting stuff doesn't require additional coding, you use their admin pages to turn this stuff on or off e.g. you can disallow user registration etc. You can also turn on social sign-in (e.g. Google) by setting an option without code. It seems to be turned on by default, took me a bit of hunting to turn it off :-)

        1. 1

          Thanks for the info! Thats helpful.

  15. 2

    Build a login signup system from scratch
    with all the features such as forgot password or access control system if you may .
    Then keep this as a specimen. Just copy paste it in your new project and fine tune in as per your requirements.
    At least this would save a lot of time in your future projects.

  16. 2

    10 minutes. I use QUIQQER. It's all in there. FB, Google, Mail Registration with Login + Profile stuff

  17. 2

    Core backend logic doesn't take long when using a framework like Laravel. One can have authentication working in an hour. The more time consuming part is the design of the front end. Using the default templates that come with your framework may not be the most presentable when you're building a brand.

    1. 1

      A lot of others may not be taking that into account. They more so are probably talking about the happy path only.

  18. 2

    Far, far too long... That's why I built this boilerplate: https://github.com/rails-boilerplate-code/base-template/blob/master/README.md (though it goes far beyond just login/signup)

    1. 1

      About how long did it take you?

      1. 2

        Didn't track it, but long enough that I recognized it was too long to do over and over for each new project and this boilerplate was a faster path to victory :-)

  19. 2

    With a framework like laravel, it takes me minutes. Literally. Here are the steps:

    1. laravel new <projectname>
    2. php artisan migrate
    3. php artisan make:auth

    Done. A default login page and registration page is setup at /login and /register. You can of course now go and change the fields in registration or update the User model as needed but the most basic authentication/registration is done.

    You of course would need to apply custom css as needed afterwards. It comes with default bootstrap styling.

    1. 2

      thanks for the details! Seems like backend frameworks are much easier for this!

    2. 1

      take a little more now that they moved the ui and auth to a separate package, but still pretty quick with laravel.

  20. 2

    Stack: klein.php (PHP) + MongoDB => roughly 20 minutes for the core signup, login, logout and authentication.

    Another 2-4 hours for the whole email stuff, including designing fancy responsive email templates.

    1. 1

      Pretty fast! So that stack is all backend side right?

      1. 2

        Backend and frontend. Have come to love MongoDB, just pipe form data directly into the database. Login sets cookies + does a single call to the database and authentication checks for the cookie and if valid in the database. This honestly, takes about 5 minutes if done in a basic fashion.

        the rest of the 15 minutes is 14 minutes coding the various forms for the frontend and 1 minute to figure out how to name the various input fields to be stored in MongoDB.

        Here is rough (on top of my head) quickstart guide:

        cd /var/www/myproject
        composer require klein/klein mongodb/mongodb daniel-zahariev/php-aws-ses
        (the last one is to send emails through Amazon SES, replace with whatever you fancy)

        cd vendor
        mkdir blah
        cd blah
        vi Helper.php
        (add PSR-4 Class/Functions for Login, Logout, Registration and IsUserLoggedIn :) )
        cd ..
        vi composer.json (add this to the end of the file)
        ,
        "autoload": {
        "psr-4": {
        "blah\\": "vendor/blah"
        }
        }
        rm composer.lock
        composer update

        vi index.php
        <?php
        require_once DIR . '/vendor/autoload.php';
        $kl = new \Klein\Klein();

        $kl->respond('/', function ($request, $response, $service) {
        $service->render('views/homepage.php');
        });
        $kl->respond('/login', function ($request, $response, $service) {
        $service->render('views/login.php');
        });
        $kl->respond('/logout', function ($request, $response, $service) {
        \blah\Helper::Logout();
        });
        

        adding and checking the DB to add and check users is as simple as doing this in your Helper.php file:

        $m = new MongoDB\Client("mongodb://localhost:27017");
        $create = $m->blah->accounts;
        $create->insertOne($data);
        1. 1

          Thanks! Its interesting to see your steps in that specific stack.

  21. 2

    Login is simple if you are not separating Frontend from Backend via an API. For instance using Ruby on Rails with it's standard ERB templating and Devise, you can get a fully fleshed out Login within a few minutes. But if you use Angular or Vue or React on the Front end then you will have to build a Login API and that can take a few hours if you are knowledgeable about building such things.

    1. 2

      Thanks! that helps clarify it up a lot! The difference between an all backend app and a fronted and backend separated app.

      1. 2

        np, I had a similar problem a few weeks ago. I thought, oh this will be easy. And then boom, chaos ensued. lol

  22. 2

    How long would it take if I go with Auth0 + Google login for a React app?

  23. 2

    At most 1 hour, including initial project setup.

    For basic systems we build on wordpress, in which case login takes 1 nano second.

    For complex apps we use laravel, in which case add Auth scaffolding, install Socialite for google/facebook etc. Copy a few standard controller/view files from a prior project, setup oauth keys and done. All working and tested with email plus social login active.

    Some apps use a tool for quick model and admin generation, in which case same 1 hour has auth, admin login, roles, permissions and more, ready to tweak and launch.

    1. 1

      Is there a good amount of knowledge you would have to have about auth as a developer to implement the laravel version? Or can one get away with not understanding everything behind the security?

      Also, Laravel is a backend only framework correct? It seems like frontend and backend apps seperated apps are more difficult.

      1. 2

        You can follow the setup and installation guide of laravel Auth and the official addon socialite and you will have a strong base auth in place.
        CSRF, Brute force, strong passwords, rate limiting etc are all typically enabled as standard.
        Though a base knowledge will still be useful since any changes you make could open up security issues which were previously prevented.

        Laravel can be backend and/or front end.
        It is often used to deliver full HTML, powering the entire site.
        It can also be used with front end frameworks (eg. react/angular/vue) which will then create the front end with data and functions provided by the laravel powered API.
        Both routes have strong Auth systems built in which you can use out of the box or modify as needed.

  24. 2

    1 day or less using Firebase.

  25. 2

    If you use Ruby on Rails with the Devise gem (package), it'll take around 10 minutes if you've done it before.

    One mistake I made at the beginning was even though I was pretty good at RoR, I decided to build a GraphQL API in Node.js and frontend in Nuxt.js, and I wasted a lot of time trying to build the frontend, backend and setting up authentication.

    I realised using what you're already familiar with will save you a lot more time, than using something that does it "better"

    1. 1

      so the reason nuxt and node took more time because it is a frontend and backend separated app, right?

      1. 2

        Yes! and also because I'd never used that frontend framework ever before.
        The features that took me 2 weeks to build using separate frontend and backend took me a day to build using RoR

  26. 2

    Maximum of 10 minutes with pre-built components ;)

    1. 1

      is that cheating? haha. just kidding.

      1. 2

        Work smart not hard

  27. 2

    I use Django, so I really just pull over the auth package from another project, customize some templates and I'm done. Usually one of the first tasks, takes 1h.

  28. 2

    Check out google's Firebase, as that has an easy-to-implement auth ability. And you aren't required to use the database if you don't want to, you can do just the authentication.

  29. 2

    Hopefully don't do one from scratch like ever unless your super into security and it's like a core feature or something...

    There are many small details that matter a lot for security and people f them up all the time.

    Most framework in any language have something more than half decent ready within a few clicks.

  30. 2

    I assume you are not that experienced in full-stack development. I moved from Frontend to fullstack with JavaScript, especially NodeJS / MongoDB (MERN Stack). And it took me 2 days with a Udemy course.

    You also need to keep in mind the hard part is not the backend, the hart part is the frontend where you need to deal with all the errors and things depends to the user. It takes definitely more time than the backend stuff :)

    It really depends on your stack and experience with the languages you are using. I would recommend you to look for a good online course – helped me a lot!

    Cheers

    1. 1

      So you didn't find any libraries or components that helped you do it with NodeJS or javascript?

  31. 2

    Around 10-12 hours in all in a new stack. Much less if its a new project with a stack I've worked with earlier as I can simply copy things over :)

    1. 2

      By the way, this estimate includes stuff like resetting passwords, sending reset mails etc.

      1. 1

        Thanks for the clarification!

  32. 1

    Hi man. There are usually five to seven phases in general Software Development Life Cycle (SDLC) models - all of which have different time frames attached to them.

    Planning and Requirements - two to four weeks
    Design and Architecture - two weeks
    Development and Coding - three to eight months
    Implementation - two to four weeks
    Testing and Maintenance - three to six weeks
    Production - three weeks or more

    but small-scale projects usually require fewer modules, less API programming, less integration with other systems, and less QA testing. This is due to the simpler nature of a small-scale project. Then it usually require a fewer time frame.

  33. 1

    WIth Rails and Devise, around 1-2 hours. But it's pretty basic.

  34. 1

    If you follow this YouTube series, you should be able to implement login & sign up in under 20 hrs. I would recommend using.

    Firebase for backend (authorization sign up of email and password as well as storing users in Firebase database) and then React for frontend. Lots of templates online.

    https://www.youtube.com/watch?v=Oi4v5uxTY5o&list=PL4cUxeGkcC9iWstfXntcj8f-dFZ4UtlN3

  35. 2

    This comment was deleted 4 months ago.

    1. 1

      Nice one, using BCRYPT is a good start! How about Argon2id? :)

    2. 1

      Good thought. For that first time would you have considered buying a service that helped implement it for you?

      1. 2

        This comment was deleted 4 months ago.

        1. 1

          Ahhh, that makes sense. You would be locked in. So auth0.com which I think is a popular one would lock you in or firebase.

          1. 2

            With an enforced password change you can migrate users between auth services. Some frameworks like Django even supports such a migration.

Recommended Posts